Modifying the Apache configuration to the following should take care of it. The SSLProtocol directive disables SSLv2 and SSLv3 and leaves the others on.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
On Thu, Oct 16, 2014 at 7:41 PM, James B. Byrne byrnejb@harte-lyne.ca wrote:
According to the CentOS wiki:
Validating Changes
You can use Qualys SSL Labs to verify that your web server is no longer vulnerable to POODLE or TLS_FALLBACK_SCSV once all action is complete. You might also want to only use TLSv1.2 for httpd on CentOS-6.5 (or higher) and CentOS-7, while using TLSv1 on CentOS-5.
However, on my up-to-date stock CentOS-6.5 the httpd version is 2.2.15 and attempts to use SSLProtocols greater than v1 yield this error:
Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf: SSLProtocol: Illegal protocol 'TLSv1.1'
I presume that the wiki is in error but I would like confirmation of that or instructions on how to enable TLSv1.1 and 1.2 on CentOS-6.5.
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
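As an added example (not code from the thread), here is a small Python model of how httpd evaluates an SSLProtocol line, so a directive can be checked before restarting Apache. It assumes the constructed token sets below: a CentOS-6.5 httpd 2.2.15 build that only knows SSLv2, SSLv3 and TLSv1 (which is what the quoted "Illegal protocol 'TLSv1.1'" error implies), and an OpenSSL 1.0.1+ build that also knows TLSv1.1 and TLSv1.2; `all` is modelled as every protocol the build knows, and a token without a +/- prefix replaces the set, as Apache's parser does.

```python
import re

# Constructed token sets for this example: what the stock httpd 2.2.15 on
# CentOS-6.5 accepts (assumption from the thread's error), and what a build
# against OpenSSL 1.0.1 or later accepts.
HTTPD_2_2_15_TOKENS = ("SSLv2", "SSLv3", "TLSv1")
HTTPD_TLS12_TOKENS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def evaluate_sslprotocol(directive, supported=HTTPD_2_2_15_TOKENS):
    """Return the sorted list of protocols an SSLProtocol line enables.

    Semantics mirrored from Apache: names are case-insensitive, 'all'
    expands to every protocol the build knows (assumption: full set),
    '+name' adds, '-name' removes, a bare name replaces the current set,
    and an unknown name is a syntax error.
    """
    match = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", directive, re.IGNORECASE)
    if not match:
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    lookup = {name.lower(): name for name in supported}
    enabled = set()
    for word in match.group(1).split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        if name.lower() == "all":
            names = set(supported)
        elif name.lower() in lookup:
            names = {lookup[name.lower()]}
        else:
            # Same wording httpd prints, e.g. "SSLProtocol: Illegal protocol 'TLSv1.1'"
            raise ValueError("SSLProtocol: Illegal protocol '%s'" % name)
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = set(names)
    return sorted(enabled)


def directive_error(directive, supported=HTTPD_2_2_15_TOKENS):
    """Return httpd's syntax-error text for the directive, or None if it parses."""
    try:
        evaluate_sslprotocol(directive, supported)
    except ValueError as exc:
        return str(exc)
    return None


def poodle_exposed(directive, supported=HTTPD_2_2_15_TOKENS):
    """True if the directive still leaves SSLv3 (or SSLv2) negotiable."""
    enabled = evaluate_sslprotocol(directive, supported)
    return "SSLv3" in enabled or "SSLv2" in enabled
```

Running the thread's own line through `directive_error` with the 2.2.15 token set reproduces the quoted error for `-TLSv1.1`, while `all -SSLv2 -SSLv3` parses on both builds and leaves only TLS versions enabled.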